Dropping a malicious USB key in a parking lot is an effective attack vector, as demonstrated by our recent large-scale study. After discussing the pros and cons of the three types of malicious USB keys, this post will walk you through how to create a spoofed HID key like the one I demoed at the Blackhat conference during my talk on USB drop attacks. You can get the slides here and the related code here.

Before getting started, here is a demo of the key in action, to give you a sense of what the end result looks like:

Disclaimer: USB attacks should be carried out only against systems that you own or have permission to attack. This post, like my other blog posts, is only for educational purposes and not an invitation to hack systems that don't belong to you.

Understanding malicious USB attack vectors

There are three classes of malicious USB keys, each with their own set of advantages and disadvantages. Therefore, the first question to answer is which type of attack will best meet our needs. Let's briefly discuss the various types of attack as well as their strengths and weaknesses, so that it is clear why HID spoofing keys are the way to go for our use case.

The three types of attack

HID (Human Interface Device) spoofing: HID spoofing keys use specialized hardware to fool a computer into believing that the USB key is a keyboard. This fake keyboard injects keystrokes as soon as the device is plugged into the computer. As we will see later in the post (spoiler alert!), with a bit of work and ingenuity, we will create a HID device that spawns a reverse TCP shell that will give us full remote control over the victim's computer.

0-day: Those rumored keys are likely to use custom hardware that exploits a vulnerability in a USB driver to get direct control of a computer as soon as it is plugged in. AFAIK, none of those have been publicly discussed.

The strengths and weaknesses

To assess which type of attack is best suited for a drop attack, we evaluated the strengths and weaknesses in the four areas reported in the table above. Here is a brief discussion of the trade-offs.

Complexity and cost: The first aspect to consider is how difficult and costly it is to create each type of key. HID-based keys are moderately difficult to create, as off-the-shelf hardware must be programmed and their appearance customized. The elusive 0-day-based keys are likely much harder to make, as they require finding a 0-day vulnerability, implementing the low-level code to exploit it, and creating a realistic-looking key to deliver it.

Reliability: The second aspect to take into account is how reliable the attack will be. The social engineering approach is the least reliable attack because it requires the user not only to plug the key in but also to click on a file and then fill in the phishing form. A HID key can be made to be very reliable, as it will trigger the attack as soon as the key is plugged in. However, HID keys require a lot of testing to get the timing between commands correct.

Social engineering attacks are very obvious, as you have files with HTML extensions. This might be a good thing if you are doing a study like we did. A HID-based attack has to spawn a terminal and very quickly inject a set of commands, which is very visible but only for a short period of time. Once the attack has been carried out, there is nothing left to see, so this type of attack is less obvious than the social engineering one. Finally, a 0-day-based attack will be completely invisible, as it is at the driver level.

If it is a targeted attack, the OS and even the specific version might be known. However, for a pen test or a broad-spectrum attack, it is likely that the targets will be a diverse pool of Windows, OS X and even Linux computers. A 0-day attack is obviously not portable, as it exploits a bug that is only present in a specific version of a specific OS. This multi-exploit strategy is what Flame did by embedding multiple exploits to target various Windows versions. A HID-based attack can be made cross-platform, but this requires quite a bit of work, as discussed later. A social engineering attack is by nature cross-platform, as HTML files are understood by every OS.

Why HID spoofing is the way to go

Overall, it is clear that HID spoofing keys offer the best trade-off between reliability, cost and complexity for a drop attack. This is why for Blackhat I focused on creating the most reliable and realistic HID device possible.

Challenges in making a HID-based attack practical

Let me start by saying that creating a malicious HID USB key is hardly new! Adrian Crenshaw did the first demo at Defcon 18 in 2010. However, so far HID devices have mostly been designed to be operated by the attacker or pen tester, and they have not been designed to be dropped in the street and operated by potential victims. This change of purpose forced me to innovate and solve the following challenges.

Be cross-platform: During a drop attack, we have no control over which computer the device will be plugged into, so we need a device that can work on as many OSes as possible.

Therefore, we need to create a persistent way to access the compromised computer at the time of our choosing. Similarly, the payload needs to account for the fact that the victim's computer might not be connected to the Internet when the key is plugged in. This forces us not to rely on downloading anything and to ensure our payload retries to connect periodically. On top of all of this, the payload length needs to be small, as keyboard throughput is capped to 62.5 keys per second on some OSes.

Compromising a computer using a HID device is done in three stages, as depicted in the diagram above. Those three phases are:

Testing if the HID device is loaded: The first stage involves ensuring that the key is recognized by the OS and that the USB driver is loaded. This is essential for reliability, as issuing commands before the driver is loaded will result in these commands being lost and never executed.

OS fingerprinting: What needs to be typed to compromise the computer depends on its OS.

And SSH for Win32 and Unix platforms, along with an xterm terminal emulator.

The first command clears the device config for SSH, and the rest of the commands configure the SSH parameters again. The last command causes the connection to be reset. Re-login to the CLI again. By running these commands, Sweet32 and any attack that uses weak-cipher vulnerabilities on the management plane are mitigated.

The Arp-scan command uses the Address Resolution Protocol (ARP) to identify.

Note down the MAC address of the device and then download Android Terminal Emulator from Google Play Store. Open the app and then type the command: 'ip link'. The screen will be filled up with a lot of information along with the MAC address. You can run ip address from a terminal or adb shell to get the MAC address. Specifically, ip address show wlan0 will give you the MAC for the Wi-Fi chip on most devices. The address is shown after link/ether on the second line:
Author: Loki